LoFP / Administrators using service principal credentials to manage Arc-connected clusters during maintenance windows may trigger this rule. Correlate with change management records.

Techniques

Sample rules

Azure Service Principal Sign-In Followed by Arc Cluster Credential Access

Description

Detects when a service principal authenticates to Microsoft Entra ID and then lists credentials for an Azure Arc-connected Kubernetes cluster within a short time window. The listClusterUserCredential action retrieves tokens that enable kubectl access through the Arc Cluster Connect proxy. This sequence (service principal sign-in followed by Arc credential retrieval) matches the attack chain used by adversaries with stolen service principal secrets to establish a proxy tunnel into Kubernetes clusters. Service principals that authenticate externally (as opposed to managed identities, which are logged under a different sign-in category) and immediately access Arc cluster credentials warrant investigation, particularly when the sign-in originates from an unexpected location or ASN.

Detection logic

sequence with maxspan=30m
[authentication where event.dataset == "azure.signinlogs"
    and azure.signinlogs.category == "ServicePrincipalSignInLogs"
    and azure.signinlogs.properties.status.error_code == 0
] by azure.signinlogs.properties.app_id
[any where event.dataset == "azure.activitylogs"
    and azure.activitylogs.operation_name : "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION"
    and event.outcome : ("Success", "success")
] by azure.activitylogs.identity.claims.appid
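The following is an added example, not part of the Elastic rule or the LoFP page: a small Python re-implementation of the EQL sequence above (successful service principal sign-in joined to a successful listClusterUserCredential call on the app id within maxspan=30m), replayed over constructed sample events so the join and the triage step from the false-positive note can be exercised offline. The events, app ids and the maintenance window are all made up; the field names follow the rule's own ECS paths. The triage step annotates, rather than suppresses, hits that fall inside an approved maintenance window, which is the practitioner's choice here and not something the rule does.

```python
"""Replay the sign-in -> Arc credential-access sequence over sample events.

Added example (not the Elastic rule itself): emulates the EQL
`sequence with maxspan=30m ... by app id` join and then applies the
documented false-positive check against change-management windows.
All events below are constructed sample data, not real Azure logs.
"""
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=30)
ARC_OP = "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION"


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_sp_signin(ev):
    """First stage: successful sign-in logged as a service principal (not a managed identity)."""
    return (ev.get("event.dataset") == "azure.signinlogs"
            and ev.get("azure.signinlogs.category") == "ServicePrincipalSignInLogs"
            and ev.get("azure.signinlogs.properties.status.error_code") == 0)


def is_arc_cred_access(ev):
    """Second stage: successful listClusterUserCredential on an Arc-connected cluster.
    EQL's `:` operator is case-insensitive, so compare case-folded like the rule does."""
    return (ev.get("event.dataset") == "azure.activitylogs"
            and str(ev.get("azure.activitylogs.operation_name", "")).upper() == ARC_OP
            and str(ev.get("event.outcome", "")).lower() == "success")


def correlate(events, maxspan=MAXSPAN):
    """Emulate the sequence: a qualifying sign-in followed within maxspan by Arc
    credential access, joined on the service principal's app id."""
    pending = {}  # app_id -> most recent qualifying sign-in awaiting its second stage
    hits = []
    for ev in sorted(events, key=lambda e: _ts(e["@timestamp"])):
        if is_sp_signin(ev):
            pending[ev["azure.signinlogs.properties.app_id"]] = ev
        elif is_arc_cred_access(ev):
            app_id = ev.get("azure.activitylogs.identity.claims.appid")
            signin = pending.get(app_id)
            if signin and _ts(ev["@timestamp"]) - _ts(signin["@timestamp"]) <= maxspan:
                hits.append({"app_id": app_id, "signin": signin, "arc_access": ev})
                del pending[app_id]  # one alert per sign-in, as the sequence would emit
    return hits


def triage(hits, maintenance_windows):
    """Apply the LoFP note: a hit whose sign-in falls inside an approved maintenance
    window for that app id is flagged as expected change, but still returned for review."""
    out = []
    for h in hits:
        t = _ts(h["signin"]["@timestamp"])
        expected = any(app == h["app_id"] and _ts(start) <= t <= _ts(end)
                       for app, start, end in maintenance_windows)
        out.append({**h, "expected_change": expected})
    return out


# --- constructed sample data (hypothetical app ids and timestamps) ---
def signin(ts, app_id, code=0, category="ServicePrincipalSignInLogs"):
    return {"@timestamp": ts, "event.dataset": "azure.signinlogs",
            "azure.signinlogs.category": category,
            "azure.signinlogs.properties.status.error_code": code,
            "azure.signinlogs.properties.app_id": app_id}


def arc_access(ts, app_id, outcome="Success", op=ARC_OP):
    return {"@timestamp": ts, "event.dataset": "azure.activitylogs",
            "azure.activitylogs.operation_name": op, "event.outcome": outcome,
            "azure.activitylogs.identity.claims.appid": app_id}


SAMPLE_EVENTS = [
    signin("2024-05-01T10:00:00Z", "app-a"),                       # matches 12 min later
    arc_access("2024-05-01T10:12:00Z", "app-a"),
    signin("2024-05-01T10:05:00Z", "app-b", code=50126),           # failed sign-in: no match
    arc_access("2024-05-01T10:10:00Z", "app-b"),
    signin("2024-05-01T10:06:00Z", "app-c", category="ManagedIdentitySignInLogs"),
    arc_access("2024-05-01T10:09:00Z", "app-c"),                   # managed identity: no match
    signin("2024-05-01T09:00:00Z", "app-d"),                       # 45 min gap: outside maxspan
    arc_access("2024-05-01T09:45:00Z", "app-d"),
    signin("2024-05-01T11:00:00Z", "app-e"),                       # matches, but in a change window
    arc_access("2024-05-01T11:20:00Z", "app-e",
               op="Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"),
]
# (app_id, window start, window end) from a hypothetical change-management record
MAINTENANCE_WINDOWS = [("app-e", "2024-05-01T10:30:00Z", "2024-05-01T12:00:00Z")]


def run_sample():
    return triage(correlate(SAMPLE_EVENTS), MAINTENANCE_WINDOWS)


if __name__ == "__main__":
    for h in run_sample():
        print(h["app_id"], "expected_change" if h["expected_change"] else "INVESTIGATE")
```

The five cases in the sample cover the rule's filters one at a time: only the two successful service principal sign-ins followed within 30 minutes by a successful credential listing produce hits, and of those only the one inside a documented window is marked as expected change. A location or ASN check on the sign-in event would slot into `triage` in the same way.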